Gate javascript: navigation on sandboxing flags.
#5083
+9
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As `javascript:` URLs execute in the target browsing context, it's somewhat surprising that they can be executed from a sandboxed document if that document is allowed to create unsandboxed popups. This patch gates `javascript:` URL execution on the source document's sandboxing flags, which is more in line with developer expectations.
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 14, 2019
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 14, 2019
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc
annevk
approved these changes
Nov 14, 2019
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 15, 2019
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 16, 2019
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <[email protected]> Reviewed-by: Avi Drissman <[email protected]> Commit-Queue: Avi Drissman <[email protected]> Cr-Commit-Position: refs/heads/master@{#716035}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Nov 16, 2019
Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <[email protected]> Reviewed-by: Avi Drissman <[email protected]> Commit-Queue: Avi Drissman <[email protected]> Cr-Commit-Position: refs/heads/master@{#716035}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Nov 29, 2019
… to `javascript:`., a=testonly Automatic update from web-platform-tests Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <[email protected]> Reviewed-by: Avi Drissman <[email protected]> Commit-Queue: Avi Drissman <[email protected]> Cr-Commit-Position: refs/heads/master@{#716035} -- wpt-commits: 89aa3f42131cce5a77268ddaeb2fab8a2e29c2a6 wpt-pr: 20250
xeonchen
pushed a commit
to xeonchen/gecko
that referenced
this pull request
Nov 29, 2019
… to `javascript:`., a=testonly Automatic update from web-platform-tests Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <[email protected]> Reviewed-by: Avi Drissman <[email protected]> Commit-Queue: Avi Drissman <[email protected]> Cr-Commit-Position: refs/heads/master@{#716035} -- wpt-commits: 89aa3f42131cce5a77268ddaeb2fab8a2e29c2a6 wpt-pr: 20250
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Nov 30, 2019
… to `javascript:`., a=testonly Automatic update from web-platform-tests Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Reviewed-by: Avi Drissman <avichromium.org> Commit-Queue: Avi Drissman <avichromium.org> Cr-Commit-Position: refs/heads/master{#716035} -- wpt-commits: 89aa3f42131cce5a77268ddaeb2fab8a2e29c2a6 wpt-pr: 20250 UltraBlame original commit: 5379811f4fed12767e6ebfad53f9612f5424a191
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Nov 30, 2019
… to `javascript:`., a=testonly Automatic update from web-platform-tests Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Reviewed-by: Avi Drissman <avichromium.org> Commit-Queue: Avi Drissman <avichromium.org> Cr-Commit-Position: refs/heads/master{#716035} -- wpt-commits: 89aa3f42131cce5a77268ddaeb2fab8a2e29c2a6 wpt-pr: 20250 UltraBlame original commit: 5379811f4fed12767e6ebfad53f9612f5424a191
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Nov 30, 2019
… to `javascript:`., a=testonly Automatic update from web-platform-tests Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: I3b5fa676e73cbf78485b85ce2593284bce2e68cc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1916467 Reviewed-by: Daniel Vogelheim <vogelheimchromium.org> Reviewed-by: Avi Drissman <avichromium.org> Commit-Queue: Avi Drissman <avichromium.org> Cr-Commit-Position: refs/heads/master{#716035} -- wpt-commits: 89aa3f42131cce5a77268ddaeb2fab8a2e29c2a6 wpt-pr: 20250 UltraBlame original commit: 5379811f4fed12767e6ebfad53f9612f5424a191
|
I think so, yes. That said, I think the test is broken in Firefox and Safari (https://wpt.fyi/results/html/browsers/sandboxing/sandbox-disallow-scripts-via-unsandboxed-popup.tentative.html?label=master&label=experimental&aligned) due to some changes in the way |
annevk
reviewed
Feb 11, 2020
| does not have the <span>sandboxed scripts browsing context flag</span> set.</p> | ||
|
|
||
| <p class="XXX"><a href="https://github.com/whatwg/html/issues/2591">Issue #2591</a> applies | ||
| here as well.</p> |
There was a problem hiding this comment.
Shall we move this note outside the list as it now applies to two items?
There was a problem hiding this comment.
This is not the state we should be using, imo. The state we should be using is state at the entrypoint to "navigate", not at this later point in time, just like we do for the sandboxFlags in https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigate step 14.
This even matters if we use the document's sandbox flags, since those can change over time thanks to meta CSP...
|
Anyway, in terms of behavior treating the "source is sandboxed without allow-scripts" case the same as the "target is sandboxed without allow-scripts" case makes sense to me. |
qtprojectorg
pushed a commit
to qt/qtwebengine-chromium
that referenced
this pull request
Mar 6, 2020
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1916467: Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: Id3e9ebf7f4082c96a92bdaccaea1dd73f5c9b54b Reviewed-by: Jüri Valdmann <[email protected]>
qtprojectorg
pushed a commit
to qt/qtwebengine-chromium
that referenced
this pull request
Mar 23, 2020
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1916467: Prevent sandboxed frames from navigating to `javascript:`. Frames with the `allow-popup` and `allow-popup-to-escape-sandbox` flags can cause JavaScript execution in their origin by navigating to a `javascript:` URL via `target=_blank` or similar. This is technically correct, but surprising. whatwg/html#5083 aims to tighten that check to match developers' expectations that `javascript:` URLs controlled by a page that's been sandboxed away from script will not execute. Bug: 1014371 Change-Id: Id3e9ebf7f4082c96a92bdaccaea1dd73f5c9b54b Reviewed-by: Michal Klocek <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As
javascript:URLs execute in the target browsing context, it'ssomewhat surprising that they can be executed from a sandboxed document
if that document is allowed to create unsandboxed popups.
This patch gates
javascript:URL execution on the source document'ssandboxing flags, which is more in line with developer expectations.
💥 Error: Wattsi server error 💥
PR Preview failed to build. (Last tried on Jan 15, 2021, 7:59 AM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.
🔗 Related URL
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.